My eWPT Experience

I’m very happy to share that I’ve gotten a new (and first) certification under my belt!

Mid-January 2025 I passed my eWPT exam, and it was a refreshing experience for me.

As outlined in my Plans for 2025 post, I’m eager to get more certifications under my name so I can cement my existing skills, learn new tricks and share anything new with my teammates. Because I had no certifications (certs) yet, I went for eWPT from INE.

Let’s talk about it!

The Course

The course covers the fundamentals of being a penetration tester. It takes you over all steps at the core of a web application penetration test, such as methodologies, processes and enumeration. Not to mention the meat and potatoes being the core web vulnerabilities, such as Cross Site Scripting and SQL injection. You’ll learn how they work, how to find them and how to exploit them. As such, I think it’s important to point out that the goal was to find vulnerabilities during a pentest so that you could report them. Its goal was not for you to pop shells and to do a privilege escalation on the host.

This is done in the form of videos, quizzes and hands-on labs. The videos are well structured and clear, with the instructor going through all the essentials of a topic. He would also give tidbits of real-world experience here and there, making them very worthwhile to watch.

Following the videos, you’ll have a quiz with a few multiple choice questions. If you paid good attention during the videos, you’ll ace these with no issue. This leads to the lab, which is where you can test your knowledge of the vulnerability against a range of applications. These are mostly open source vulnerable web applications, such as DVWA or OWASP Mutillidae II, but can also be real-world applications with a known vuln in them.

These labs came with an answer sheet allowing you to check your work against that of the instructor. Most, if not all, had a video of the instructor going through the lab explaining his steps.

My experience

The course reminded me a lot of when I started my job as a pentester: doing a pentest on web APIs, reviewing it with my team lead and reading the OWASP Testing Guide until I could dream it. As such, I would absolutely think of eWPT as a beginner course - something that INE also offers, but then in the form of eJPT (Junior Pentester).

Video quiz!

The video lectures were not as stimulating as I had initially hoped they would be when I started. I did watch all of them, however, and there are absolutely golden nuggets of insight shared by the instructor. Remembering those can absolutely help you make decisions when you are applying your eWPT-learned skills during your 9 to 5.

Quizzes are for sure an improvement point. These had at most 3 questions, which I think is a waste of potential. A lot of information is shared during the videos, which can absolutely be tested for during the multiple choice questions. As such, that feature was a bit of a letdown.

Labs

The labs, in general, were good and enjoyable. But I think there’s some room for improvement there as well. Most of the labs did not have any ‘proof of work’ in them - only when they were custom made or modified by INE. There’s nothing wrong with using “off the shelf” open source vulnerable web apps, but these often had no ‘carrot’ on the stick - no flag for you to capture. You’d start them, there’d be a descriptive text of your assignment and you’d pwn those vulns in the web app.

This was mostly the case with labs where the target vulnerability was in a real-life product. I find their inclusion amazing, but they had one downside. Once you figured out the version running, exploit-db was but a short Google search away (not to mention the searchsploit CLI tool). You could, of course, argue not to use this script - if using exploit-db wasn’t the way described in the answer sheet.

Proof of work

Like I said, there’s nothing wrong with having labs like this. It’s how you’d do it during a pentest as well. You showcase to the customer that they need to update their software, because you can get a reverse shell using a known exploit.

But does that ‘teach’ you how, for example, blind SQLi works? I’m not so sure about that. Combined with the aforementioned easy quizzes, this makes for a weak test of knowledge. Instead, the videos do most of the heavy lifting. It was very worthwhile to have the instructor walkthrough video, as his explanation of how the vuln works and how he exploited it gave much needed context.

Taking notes

Yes. Take notes - lots of them.

Every terminal command used in the video? Write that down. Output too when you run them in the labs.

Identifying factors between in-band and out-of-band SQLi? Don’t rely on understanding the PowerPoint - write it down clearly for yourself.

This habit is very worthwhile, especially here. I recommend using Obsidian notes to store the results in.

My structure was, for example:

  • Cross Site Scripting
    • Reflected notes
    • Reflected lab
      • Nmap
      • Payloads

Having these things clearly visible in such a way helps you find them, because trust me, you’re going to need to find these things quickly when you’re going to do the…

Exam!

Once you feel comfortable, you can take a shot at the exam. You can do this at any time, without having to have completed any of the course material. There’s also no scheduling, as with OSCP. You feel like starting? Then click the start button. Click it again to confirm - and you’re good to go!

This also means it is not proctored, with nobody watching you through the webcam. I liked that, because I always feel a bit uncomfortable when somebody is peering through my webcam, but I think it’s a good tool to hamper cheaters. In the end, you only fool yourself if you cheat.

The exam takes 10 hours. 10 hours of hacking a collection of machines set up just for you to find vulnerabilities on. Proof of your work is done by means of questions in your exam portal. I don’t want to share what the questions are, but if you do good work in the exam lab, you’ll be able to answer them easily.

This is especially the case if you’ve gone through all the theory, making notes on the tools and commands used in Kali Linux to find those vulnerabilities. Those will help you find your way through the exam like a knife through butter. Making notes is also my biggest tip for the exam. Don’t keep results in your terminal. Copy and paste them to your Obsidian notes, making them easy to search and find.
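One way to make that habit automatic, as an added example that is not part of the original post or of any INE course material: a small POSIX shell helper that runs a command, shows its output as usual, and appends the command line, exit status and output as a Markdown section to a note file inside a vault. The vault location (`NOTES_DIR`) and the note path layout (topic / lab / tool, mirroring the structure above) are assumptions; the output lands in a tilde-fenced block so Obsidian renders it as code.

```shell
#!/bin/sh
# Added example (not from the post or from INE): keep command results in
# the note vault instead of letting them scroll out of the terminal.
# NOTES_DIR is an assumed location; override it in the environment.
NOTES_DIR="${NOTES_DIR:-$HOME/notes}"

# note_run NOTE_PATH COMMAND [ARGS...]
#   Runs COMMAND, echoes its output to the terminal, and appends a section
#   (UTC timestamp, exact command line, exit status, output) to
#   "$NOTES_DIR/NOTE_PATH.md", creating parent folders as needed.
#   Returns the command's own exit status so it still composes in scripts.
note_run() {
    note="$NOTES_DIR/$1.md"
    shift
    mkdir -p "$(dirname "$note")"

    # Capture stdout+stderr and the exit status without tripping `set -e`.
    out=$("$@" 2>&1) && status=0 || status=$?

    # Still show the result interactively.
    printf '%s\n' "$out"

    # Append a Markdown section; tilde fences keep the note readable in Obsidian
    # even when the captured output itself contains backticks.
    {
        printf '\n## %s\n\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'Command: `%s` (exit %s)\n\n~~~\n' "$*" "$status"
        printf '%s\n~~~\n' "$out"
    } >> "$note"

    return "$status"
}
```

A typical call during a lab would be `note_run "Cross Site Scripting/Reflected lab/Nmap" nmap -sV <target>`: the scan output appears in the terminal as usual and is also filed under the matching note, so during the exam you search the vault rather than re-running the tool.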

Nervous

Whenever I have to do any form of test or exam where I’ll be graded, I tend to get nervous. Call it imposter syndrome or whatever, it will never get old!

I started on Friday morning at 11AM. Prepared with a large bottle of water and plenty of food to snack on while doing the exam, I clicked the button and read through all the provided information. Finding the answers and going through the exam lab was a lot of fun. Some of the machines were quite puzzling for me to find the correct vulnerability on, but a fun puzzle. More often than not, it reminded me of the most important thing: enumerate, enumerate, enumerate - especially in that limited time span.

You have the ability to look over your answers multiple times, which I absolutely did. This is why I said before that note taking is key; otherwise you’re going to have to re-run scripts. This can add to the stress, and we want to avoid that!

I was done with a few hours left to spare. Once you submit, a pop-up warns you, asking if you’re sure you want to submit. I clicked it, and you instantly get to know whether you’ve passed or not.

Needless to say, I passed mine! As such, I’m happy and proud to share my badge here with you.

eWPT badge

Should you do eWPT?

Depends! The fundamentals of the course will help cement your foundation. If you’re experienced, you’ll get a good refresher on methodology, process and the core vulnerabilities, but you might find other courses more worthwhile. But at around $600, the price is good for what you’re getting. If you’re a beginner or a SecDevOps engineer looking to expand your pentesting skills, you will find what you’re looking for with this course.

Changelog
  • 2025/01/13 - Uploaded
  • 2025/01/13 - Revised
  • 2025/01/12 - Written